- <li><em>date</em>: Fri Jun 18 16:22:24 2004</li>
- <li><em>from</em>: bob at verysecurelinux.com (Bob Toxen)</li>
- <li><em>in-reply-to</em>: <<a href="msg00432.html">[email protected]</a>></li>
- <li><em>references</em>: <<a href="msg00432.html">[email protected]</a>></li>
- <li><em>subject</em>: [ale] Safe apt-get repositoris</li>
> I guess I am really asking where the best/safest repositories are for
> Redhat?
> What are they for SuSE?

Trust only from known places such as the primary sites and mirrors obtained
as links from them and other well-known sites such as GA Tech and Ibiblio.

Increase your confidence by using any or all of:

1. Download from more than one site and compare the md5sum or sha1sum
   results.

2. Verify the PGP signatures (and the validity of the certificate).

   Btw, trusting the MD5 or SHA1 sum obtained from the same site as
   the software was downloaded from is NOT good security. If the
   site is compromised, it is trivial to compromise the MD5 or SHA1
   sum.

   The PGP signature is much harder to compromise IF its maintainer
   uses good security, such as keeping the secret certificate off
   the Internet, etc.

3. Wait a week or two after obtaining the download and then check back
   on the site and see if they announce any recent compromises or if
   you hear of any from suitable news groups.

> Do people stray, when using Debian or Gentoo, to repositories outside of
> the normal distribution channels for packages not in the main Gentoo/Debian
> mirrors?
> Dow
> --
> __________________________________________________________
> Dow Hurst Office: 770-499-3428 *
> Systems Support Specialist Fax: 770-423-6744 *
> 1000 Chastain Rd. Bldg. 12 *
> Chemistry Department SC428 Email: dhurst at kennesaw.edu *
> Kennesaw State University Dow.Hurst at mindspring.com *
> Kennesaw, GA 30144 *
> ************************************************************
Bob Toxen
bob at verysecurelinux.com [Please use for email to me]
<a rel="nofollow" href="http://www.verysecurelinux.com">http://www.verysecurelinux.com</a> [Network&Linux/Unix security consulting]
<a rel="nofollow" href="http://www.realworldlinuxsecurity.com">http://www.realworldlinuxsecurity.com</a> [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
"Microsoft: Unsafe at any clock speed!"
-- Bob Toxen 10/03/2002
</pre>
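An added example, not part of the message above: a shell sketch of steps 1 and 2, comparing sha1sum results across copies of one package fetched from different sites and checking a detached PGP signature with gpgv. The function names, file names and keyring path are assumptions; the keyring is expected to hold a key obtained from somewhere other than the download site.

```shell
#!/bin/sh
# Added example. Usage: script copy-from-site-A copy-from-site-B [more copies...]

# Print "<sha1>  <file>" for every copy.
# Returns 0 if all digests agree, 1 if any differ, 2 on usage/read error.
compare_mirror_copies() {
    local first="" sum f status=0
    if [ "$#" -lt 2 ]; then
        echo "need copies from at least two different sites" >&2
        return 2
    fi
    for f in "$@"; do
        sum=$(sha1sum -- "$f") || return 2
        sum=${sum#\\}     # sha1sum prefixes "\" when it escapes the file name
        sum=${sum%% *}    # keep only the digest
        printf '%s  %s\n' "$sum" "$f"
        if [ -z "$first" ]; then
            first=$sum
        elif [ "$sum" != "$first" ]; then
            status=1
        fi
    done
    if [ "$status" -ne 0 ]; then
        echo "MISMATCH: copies differ, do not install" >&2
    fi
    return "$status"
}

# Verify a detached signature using ONLY the keys in the given keyring.
# $1 = keyring file (path with a slash, e.g. ./vendor-keyring.gpg)
# $2 = detached signature, $3 = downloaded package
# gpgv exits non-zero unless a key in that keyring made a good signature.
verify_detached_sig() {
    gpgv --keyring "$1" "$2" "$3"
}

# When run with file arguments, compare them.
if [ "$#" -ge 2 ]; then
    compare_mirror_copies "$@"
fi
```

Agreement between copies only shows that the sites serve the same bytes; the signature check is what ties those bytes to the maintainer's key.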
</body>
</html>